Plundervolt is a new attack method against Intel processors that affects SGX technology

Intel has released a firmware update that fixes a vulnerability (CVE-2019-14607) which allows an attacker, by manipulating the CPU's dynamic voltage and frequency scaling mechanism, to corrupt the contents of data cells, including in regions used for computations inside isolated Intel SGX enclaves. The attack, dubbed Plundervolt, potentially allows a local user to elevate their privileges on the system, cause a denial of service, and gain access to sensitive data.

The attack is dangerous only in the context of manipulating computations inside SGX enclaves, since carrying it out requires root privileges on the system. In the simplest case, an attacker can corrupt the information being processed in the enclave, but in more complex scenarios the recovery of private keys stored in the enclave and used for encryption with the RSA-CRT and AES-NI implementations is not ruled out. The technique can also be used to induce errors in otherwise correct algorithms in order to provoke memory-safety bugs, for example to gain access to an area outside an allocated buffer.
Prototype code for the attack has been published on GitHub.

The essence of the method is to create conditions under which unexpected data corruption occurs during computations in SGX, something the encryption and memory authentication used by the enclave do not protect against. To introduce the corruption, it turned out to be possible to use the standard software interfaces for frequency and voltage control, which are normally used to reduce power consumption while the system is idle and to enable maximum performance under heavy load. The frequency and voltage settings apply to the entire chip, so they also affect computations performed inside an isolated enclave.

By changing the voltage, it is possible to reach conditions under which the charge is insufficient to regenerate a memory cell inside the CPU, and its value changes. The key difference from the RowHammer attack is that RowHammer changes the contents of individual bits in DRAM by repeatedly reading data from neighbouring cells, while Plundervolt achieves bit changes inside the CPU once the data has already been loaded from memory for computation. This property makes it possible to bypass the mechanisms SGX uses to control the integrity and encryption of data in memory: the values in memory remain correct, but can be corrupted during operations on them, before the result is written back to memory.

If such a corrupted value is used in a multiplication during encryption, the output is an incorrect ciphertext. An attacker who can call the SGX handler to encrypt data of their choosing can, by inducing faults, accumulate statistics on how the output ciphertext changes and, within a few minutes, recover the key stored in the enclave. The plaintext at the input and the correct ciphertext at the output are known, the key does not change, and an incorrect output ciphertext indicates that some bit was flipped to the opposite value.

By analysing the pairs of correct and faulty ciphertexts collected across different faults with the methods of differential fault analysis (DFA), one can predict the probable keys used for AES symmetric encryption and then, by intersecting the candidate keys from different sets, determine the sought key.
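The fault-to-key-recovery logic described in the two paragraphs above, and the RSA-CRT case mentioned earlier, share one root cause: a faulty result leaves the enclave. The following is an added example, not code from the article or from the Plundervolt authors, using a toy RSA-CRT signer with a constructed key because the RSA-CRT case fits in a few lines; a single flipped bit in the mod-p branch stands in for the undervolt-induced error, and the hardened variant shows the standard countermeasure of re-verifying the result with the public key before releasing it.

```python
import math
from typing import Optional

# Toy RSA-CRT key, constructed for this example (real keys are 2048+ bits).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)


def rsa_crt_sign(m: int, fault_bit: Optional[int] = None) -> int:
    """RSA-CRT signature of m. fault_bit, if given, flips one bit of the
    mod-p half, modelling a computation error confined to one branch."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_bit is not None:
        sp ^= 1 << fault_bit          # corruption hits only the mod-p branch
    h = (QINV * (sp - sq)) % P        # Garner recombination
    return sq + Q * h


def sign_unprotected(m: int, fault_bit: Optional[int] = None) -> int:
    """Releases whatever the CRT computation produced, faulty or not."""
    return rsa_crt_sign(m, fault_bit)


def sign_verified(m: int, fault_bit: Optional[int] = None) -> Optional[int]:
    """Hardened variant: re-check s^e == m (mod N) with the public key and
    refuse to release the signature if the check fails."""
    s = rsa_crt_sign(m, fault_bit)
    if pow(s, E, N) != m % N:
        return None
    return s


def leaked_factor(good: int, bad: int) -> Optional[int]:
    """Why the check matters: a fault confined to one CRT branch leaves the
    other residue intact, so gcd(good - bad, N) is a non-trivial factor of N."""
    g = math.gcd(good - bad, N)
    return g if 1 < g < N else None


if __name__ == "__main__":
    msg = 123456789                   # constructed message, already below N
    good, bad = sign_unprotected(msg), sign_unprotected(msg, fault_bit=3)
    print("unprotected signer leaks a factor:", leaked_factor(good, bad) == Q)
    print("verified signer releases faulty result:", sign_verified(msg, 3) is not None)
```

The same verify-before-release pattern (or an equivalent redundant computation) is what an enclave has to apply to every result that depends on a secret, since the memory integrity checks described above never see the corrupted intermediate value.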

Various models of Intel processors are affected, including Intel Core CPUs from the 6th through the 10th generation, as well as the fifth and sixth generations of Xeon E3, the first and second generations of Intel Xeon Scalable, and Xeon D, Xeon W and Xeon E.

Recall that SGX (Software Guard Extensions) technology appeared in the sixth generation of Intel Core processors (Skylake) and offers a set of instructions that allow user-level applications to allocate private memory regions, called enclaves, whose contents cannot be read or modified even by the kernel or by code running in ring 0, SMM or VMM mode. Control cannot be transferred to code in the enclave using traditional jump instructions or manipulation of registers and the stack; a specially introduced new instruction, which performs authorization checks, is used to enter the enclave. Code placed in the enclave can use the classic call mechanisms to call functions inside the enclave and a special instruction to call external functions. Enclave memory encryption protects against hardware attacks such as physically connecting to the DRAM.

Source: opennet.ru
